Miscellaneous Tech News

mlnews

WhatsApp “end-to-end encrypted” messages aren’t that private after all

Millions of WhatsApp messages are reviewed by both AI and human moderators.
Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement. This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is—you guessed it—reviewing WhatsApp messages that have been flagged as "improper."

scottalanmiller

@mlnews said in Miscellaneous Tech News:

WhatsApp “end-to-end encrypted” messages aren’t that private after all

Millions of WhatsApp messages are reviewed by both AI and human moderators.
Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement. This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is—you guessed it—reviewing WhatsApp messages that have been flagged as "improper."

I saw this one and Ars Technica needs a huge slap for not just click bait title, but flat out lying.

The messages are 100% private in the same way any other message is. The article even mentions how they are so private that the recipient has to COPY the message to a non-secure channel and send it again (e.g. copy/paste essentially) to let someone else see it. Because the privacy is very, very private on WhatsApp.

mlnews

Apple dealt major blow in Epic Games trial

Apple has been dealt a major blow in its ongoing trial against Fortnite-maker Epic Games.
A court in Oakland, California has ruled that Apple cannot stop app developers directing users to third-party payment options. Apple had argued that all apps should use Apple's own in-app payment options. But Epic Games challenged the up-to-30% cut Apple takes from purchases and argued that the App Store was a monopoly. On Friday, Judge Yvonne Gonzalez-Rogers issued a permanent injunction that said Apple could no longer prohibit developers linking to their own purchasing mechanisms. For example, a movie-streaming service will now be able to tell customers to subscribe via their own website, without using Apple's in-app purchasing mechanism. Epic had argued that this was unreasonable, and that the company should be able to inform users that they could make purchases away from the App Store. Epic has also taken legal action against Google over its Play Store.

1337

@mlnews said in Miscellaneous Tech News:

Apple dealt major blow in Epic Games trial

Apple has been dealt a major blow in its ongoing trial against Fortnite-maker Epic Games.
A court in Oakland, California has ruled that Apple cannot stop app developers directing users to third-party payment options. Apple had argued that all apps should use Apple's own in-app payment options. But Epic Games challenged the up-to-30% cut Apple takes from purchases and argued that the App Store was a monopoly. On Friday, Judge Yvonne Gonzalez-Rogers issued a permanent injunction that said Apple could no longer prohibit developers linking to their own purchasing mechanisms. For example, a movie-streaming service will now be able to tell customers to subscribe via their own website, without using Apple's in-app purchasing mechanism. Epic had argued that this was unreasonable, and that the company should be able to inform users that they could make purchases away from the App Store. Epic has also taken legal action against Google over its Play Store.

Good news!

Obsolesce

Apple Issues Emergency Security Updates to Close a Spyware Flaw

Researchers at Citizen Lab found that NSO Group, an Israeli spyware company, had infected Apple products without so much as a click.

FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild

DustinB3403

Apple releases fix for zero click vulnerability in all apple devices

If you haven't seen it, update your apple gear now. A zero click has been discovered, created by NSO, that allows for zero click ownership of any Apple Device.

Obsolesce

Apple issues urgent iPhone software update to address critical spyware vulnerability

If you still haven't seen it, update your apple devices!

mlnews

TikTok faces privacy investigations by EU watchdog

TikTok is under investigation by The Irish Data Protection Commission (DPC) - its lead regulator in the EU - over two privacy-related issues.
The watchdog is looking into its processing of children's personal data, and whether TikTok is in line with EU laws about transferring personal data to other countries, such as China. TikTok said privacy was "our highest priority". The Irish DPC said it was specifically looking into GDPR-related issues. These are the EU privacy laws which can potentially lead to enormous fines of up to 4% of a company's global turnover. It said the first inquiry would examine "the processing of personal data... for users under age 18, and age verification measures for persons under 13". It will also look into how transparent TikTok has been about how it processes such data.

mlnews

Cryptocurrency launchpad hit by $3 million supply chain attack

SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.

stacksofplates

@mlnews said in Miscellaneous Tech News:

Cryptocurrency launchpad hit by $3 million supply chain attack

SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.

Thats not really a supply chain attack. It sounds like someone who had access to contribute to their private repo committed malicious code that wasn't reviewed.

Guessing they used that term since it's hot news right now.

Dashrender

@stacksofplates said in Miscellaneous Tech News:

@mlnews said in Miscellaneous Tech News:

Cryptocurrency launchpad hit by $3 million supply chain attack

SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.

Thats not really a supply chain attack. It sounds like someone who had access to contribute to their private repo committed malicious code that wasn't reviewed.

Guessing they used that term since it's hot news right now.

Yeah - like calling everything a zero day exploit when it's not.

1337

@stacksofplates said in Miscellaneous Tech News:

@mlnews said in Miscellaneous Tech News:

Cryptocurrency launchpad hit by $3 million supply chain attack

SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.

Thats not really a supply chain attack. It sounds like someone who had access to contribute to their private repo committed malicious code that wasn't reviewed.

Guessing they used that term since it's hot news right now.

I wonder if that isn't a supply chain attack anyway. Private repo or not, shouldn't make a difference in that determination. "Private" is just private in the sense that you have to be invited to contribute.

What makes it a supply chain attack is that the hacker didn't attack any production servers. He attacked the software supply chain by injecting malicious code in their repository. Which eventually got deployed and ended up running.

If he had gained access to production servers somehow and made the exact same changes on the software running, it would not have been a supply chain attack.

Don't know how the sushi-thing works but they say it's community driven and decentralized which sound like the malicious code might have ended up deployed in many places.

stacksofplates

@pete-s said in Miscellaneous Tech News:

@stacksofplates said in Miscellaneous Tech News:

@mlnews said in Miscellaneous Tech News:

Cryptocurrency launchpad hit by $3 million supply chain attack

SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.

Thats not really a supply chain attack. It sounds like someone who had access to contribute to their private repo committed malicious code that wasn't reviewed.

Guessing they used that term since it's hot news right now.

I wonder if that isn't a supply chain attack anyway. Private repo or not, shouldn't make a difference in that determination. "Private" is just private in the sense that you have to be invited to contribute.

What makes it a supply chain attack is that the hacker didn't attack any production servers. He attacked the software supply chain by injecting malicious code in their repository. Which eventually got deployed and ended up running.

If he had gained access to production servers somehow and made the exact same changes on the software running, it would not have been a supply chain attack.

Don't know how the sushi-thing works but they say it's community driven and decentralized which sound like the malicious code might have ended up deployed in many places.

It's not that it's a private repo. It's that the person was allowed to modify the code base. Supply chain isn't opening a PR to a project and having it approved, that's just insider malicious coding.

gjacobse

@mlnews said in Miscellaneous Tech News:

TikTok faces privacy investigations by EU watchdog

TikTok is under investigation by The Irish Data Protection Commission (DPC) - its lead regulator in the EU - over two privacy-related issues.
The watchdog is looking into its processing of children's personal data, and whether TikTok is in line with EU laws about transferring personal data to other countries, such as China. TikTok said privacy was "our highest priority". The Irish DPC said it was specifically looking into GDPR-related issues. These are the EU privacy laws which can potentially lead to enormous fines of up to 4% of a company's global turnover. It said the first inquiry would examine "the processing of personal data... for users under age 18, and age verification measures for persons under 13". It will also look into how transparent TikTok has been about how it processes such data.

I'd be okay if TikTok was blocked by ever ISP - and every (TikTok) server combusted...

1337

Critical bug being exploited in Zoho ManageEngine.

https://us-cert.cisa.gov/ncas/alerts/aa21-259a

black3dynamite

Ubuntu 18.04.6 LTS
https://wiki.ubuntu.com/BionicBeaver/ReleaseNotes

When next year comes around, we will have three active LTS releases plus 16.04 LTS if you have extended security maintenance.

mlnews

Bitcoin mining producing tonnes of waste

Bitcoin mining produces electronic waste (e-waste) annually comparable to the small IT equipment waste of a place like the Netherlands, research shows.
Miners of the cryptocurrency each year produce 30,700 tonnes of e-waste, Alex de Vries and Christian Stoll estimate. That averages 272g (9.5oz) per transaction, they say. By comparison, an iPhone 13 weighs 173g (6.1oz). Miners earn money by creating new Bitcoins, but the computing used consumes large amounts of energy. They audit Bitcoin transactions in exchange for an opportunity to acquire the digital currency. Attention has been focused on the electricity this consumes - currently more than the Philippines - and the greenhouse gas pollution caused as a result.

mlnews

NFT-based fantasy football card firm raises $680m

French firm Sorare, which sells football trading cards in the form of non-fungible tokens (NFTs), has raised $680m (£498m).
The NFT-based cards are used by fans to create fantasy football teams which can then "play" each other. The funding was led by tech investor Softbank, with ex-England international Rio Ferdinand also putting in money. NFTs are controversial, with concerns over financial risk and environmental impact. An NFT is a "one-of-a-kind" digital asset that can be bought and sold like any other piece of property. As with crypto-currency, a record of who owns what is stored on a shared ledger known as the blockchain and maintained by thousands of computers around the world.

mlnews

Security audit raises severe warnings on Chinese smartphone models

The audit red-flagged Xiaomi and Huawei phones but gave OnePlus a pass.
The Lithuanian National Cyber Security Centre (NCSC) recently published a security assessment of three recent-model Chinese-made smartphones—Huawei's P40 5G, Xiaomi's Mi 10T 5G, and OnePlus' 8T 5G. Sufficiently determined US shoppers can find the P40 5G on Amazon and the Mi 10T 5G on Walmart.com—but we will not be providing direct links to those phones, given the results of the NCSC's security audit. The Xiaomi phone includes software modules specifically designed to leak data to Chinese authorities and to censor media related to topics the Chinese government considers sensitive. The Huawei phone replaces the standard Google Play application store with third-party substitutes the NCSC found to harbor sketchy, potentially malicious repackaging of common applications.

1337

@mlnews said in Miscellaneous Tech News:

Security audit raises severe warnings on Chinese smartphone models

The audit red-flagged Xiaomi and Huawei phones but gave OnePlus a pass.
The Lithuanian National Cyber Security Centre (NCSC) recently published a security assessment of three recent-model Chinese-made smartphones—Huawei's P40 5G, Xiaomi's Mi 10T 5G, and OnePlus' 8T 5G. Sufficiently determined US shoppers can find the P40 5G on Amazon and the Mi 10T 5G on Walmart.com—but we will not be providing direct links to those phones, given the results of the NCSC's security audit. The Xiaomi phone includes software modules specifically designed to leak data to Chinese authorities and to censor media related to topics the Chinese government considers sensitive. The Huawei phone replaces the standard Google Play application store with third-party substitutes the NCSC found to harbor sketchy, potentially malicious repackaging of common applications.

It's outrageous! Phones are only allowed to leak information to the US authorities!